
Network Setup - 2 on-prem locations 1 AWS region


Hi, I would like to know what would be the best possible option in terms of complexity and cost for the scenario below that we are trying to implement for a client. Customer A has all web apps deployed on-prem and has clients that come through a co-located VPN-based network (say, the ClientNet network) to access those apps. Now all these apps will be deployed in AWS regions (Prod and Non-prod VPCs), so in essence Customer A will now be on AWS, and all these clients will need to access these apps on AWS via this ClientNet network. At the same time, there will be some to-and-from communication between the AWS VPCs and Customer A's network for stuff that will still be hosted on-prem, like Active Directory and other COTS. Can this be achieved without creating 2 separate Direct Connects or 2 separate VPNs? By 2 separate DCs I mean one DC between ClientNet and AWS and one DC between Customer A on-prem and AWS, and the same applies for VPN if we were to replace DC with VPN. Can TGW be used to consolidate this into just one connection, whether it's DC or VPN, which can be assessed later based on requirements for security and bandwidth?

1 Answer


It is probably best if you discuss this with your account's Solutions Architect but here are some general guidelines:

  • If you are worried about time to market and need to set up connectivity quickly, then VPN would be an easy and quick way to set up connectivity to AWS
  • Note that IPsec VPN over the internet is a best-effort solution, meaning there is no SLA and it is prone to issues
  • If you want predictable latency and a reliable path to AWS with an SLA, monitoring, etc., then Direct Connect (DX) is the answer
  • You could also have DX as the primary and VPN as the secondary/failover path for high availability
  • With AWS managed VPN there is a bandwidth limitation of 1.25 Gbps if you terminate it on a Virtual Private Gateway (VGW); if you do decide to use Transit Gateway, you can use ECMP and bundle multiple VPN tunnels to get more aggregate bandwidth
  • If you are looking for a scalable solution, then Transit Gateway is the answer: you can set up hub-and-spoke connectivity to multiple VPCs. TGW is a regional construct, but you can do inter- as well as intra-region TGW peering and consolidate all connectivity within AWS regions.
  • You mentioned 1 region in the subject, but in future if you do expand to a multi-region architecture you can then think of a DX + DXGW + TGW architecture; Direct Connect Gateway is a global construct and can give you connectivity to up to 3 TGWs in 3 different regions.

Answer to your main question:

Can TGW be used to consolidate this into just one connection, whether it's Direct Connect or VPN, which can be assessed later based on requirements for security and bandwidth?

  • Yes, you can use Transit Gateway to consolidate all the connectivity from your on-premises to AWS:
    • It supports Site-to-Site VPN (over the internet or over a DX public VIF)
    • Connectivity via DX using a transit VIF
    • Provides inter- or intra-region connectivity
    • SD-WAN connectivity options using a Connect attachment

Lastly, I recommend going through the AWS Hybrid Connectivity Whitepaper, which has several reference connectivity models described.

Hope this helps.

answered 22 days ago
reviewed 22 days ago
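As an added example (my own Terraform, not code from this thread or from AWS), here is the consolidated hub the answer describes: one Transit Gateway with ECMP enabled, one Site-to-Site VPN from on-premises terminated on the TGW rather than on a VGW, and a separate TGW route table per VPC so that Prod and Non-prod each reach on-premises but not each other, while the on-premises route table learns every VPC so ClientNet users reach all the apps. It assumes a `var.vpcs` map holding the prod and non-prod VPC and subnet ids; the on-prem ASN and IP address are placeholders.

```hcl
variable "vpcs" { type = map(object({ vpc_id = string, subnet_ids = list(string) })) }
resource "aws_ec2_transit_gateway" "hub" {
  vpn_ecmp_support                = "enable"   # balance traffic across VPN tunnels
  default_route_table_association = "disable"  # every attachment gets an explicit table
  default_route_table_propagation = "disable"
}
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000             # placeholder ASN of the on-prem VPN device
  ip_address = "203.0.113.10"    # placeholder public IP of the on-prem VPN device
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id   # terminate on the TGW, not a VGW
  type                = "ipsec.1"
  static_routes_only  = false    # BGP, needed for ECMP across tunnels
}
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  for_each           = var.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
}
# Per-VPC tables: only the VPN propagates in, so prod and non-prod never reach each other.
resource "aws_ec2_transit_gateway_route_table" "vpc" {
  for_each           = var.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  for_each                       = var.vpcs
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc[each.key].id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_to_vpc" {
  for_each                       = var.vpcs
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc[each.key].id
}
resource "aws_ec2_transit_gateway_route_table" "onprem" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "onprem" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_to_onprem" {
  for_each                       = var.vpcs
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.vpc[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
```

A second site, such as ClientNet arriving over a DX transit VIF, would be one more attachment on the same hub with its own route table; the TGW consolidates the attachments and their routing, it does not remove the need for one attachment per site.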
